Skip to content

build(security): hash-pin pip installs, corepack pnpm, digest-pin ruby image, dependabot docker#163

Merged
debugmcpdev merged 3 commits into
mainfrom
fix/scorecard-pinning
Jul 9, 2026
Merged

build(security): hash-pin pip installs, corepack pnpm, digest-pin ruby image, dependabot docker#163
debugmcpdev merged 3 commits into
mainfrom
fix/scorecard-pinning

Conversation

@debugmcpdev

Copy link
Copy Markdown
Collaborator

Summary

OpenSSF Scorecard Pinned-Dependencies sweep (currently 6/10 with 14 warn lines):

  • New requirements/pip.txt + requirements/debugpy.txt — pin pip==25.0.1 and debugpy==1.8.14 by sha256 (every published wheel + sdist, so one file serves Linux/Windows/macOS). All pip installs switch to --require-hashes: ci.yml (both jobs), release.yml build-and-test, Dockerfile, docker/test-ubuntu.dockerfile. requirements/README.md documents the update procedure.
  • Dockerfile pnpm via corepack (corepack enable && corepack prepare pnpm@10.33.0 --activate) instead of npm install -g — corepack ships in the node base image and integrity-checks the activated version.
  • examples/ruby/remote-attach/Dockerfile: ruby:3.3-slim pinned by manifest-list digest.
  • Dependabot docker ecosystem added (/, /docker, /examples/ruby/remote-attach) so digest pins don't rot.
  • scripts/install-claude-mcp.sh / scripts/sync-to-wsl.sh: replaced npm install (which can't resolve this repo's workspace:* protocol at all) with pnpm install --frozen-lockfile.

Deliberately left unpinned-by-hash: the twine/build/tomlkit installs in release.yml pypi-publish and validate-secrets.yml — platform-dependent transitive closures would need a full pip-compile lockfile; not worth release-pipeline risk for the last 2 warn lines.

Verification

  • pip install --require-hashes --dry-run passes locally (Windows wheel path).
  • In the pinned images: corepack activation verified in node:22-slim@7af03b…; --require-hashes debugpy install + import verified in ubuntu:24.04@84e77d… with distro pip.
  • docker manifest inspect confirms the ruby digest resolves to the multi-arch manifest list.
  • Container Tests in CI rebuild the full image from the modified Dockerfile.

🤖 Generated with Claude Code

…y image, dependabot docker

OpenSSF Scorecard Pinned-Dependencies sweep (currently 6/10):

- New requirements/{pip,debugpy}.txt pin pip==25.0.1 and debugpy==1.8.14
  by sha256 (every published wheel + sdist, so one file serves Linux,
  Windows and macOS). All CI/workflow/container pip installs switch to
  'pip install --require-hashes -r ...': ci.yml (both jobs),
  release.yml build-and-test, Dockerfile, docker/test-ubuntu.dockerfile.
- Dockerfile installs pnpm via 'corepack enable && corepack prepare
  pnpm@10.33.0 --activate' instead of 'npm install -g' (corepack ships
  with the node base image and integrity-checks the activated version).
- examples/ruby/remote-attach/Dockerfile: FROM ruby:3.3-slim pinned by
  manifest-list digest.
- dependabot.yml gains a docker ecosystem entry (/, /docker,
  /examples/ruby/remote-attach) so digest pins do not rot.
- scripts/install-claude-mcp.sh and scripts/sync-to-wsl.sh used
  'npm install', which cannot resolve this repo's workspace:* protocol;
  switched to 'pnpm install --frozen-lockfile' (correctness + pinning).

Left as-is (documented decision): the twine/build/tomlkit installs in
release.yml pypi-publish and validate-secrets.yml -- their transitive
closures are platform-dependent and --require-hashes would need a full
pip-compile lockfile; not worth the release-pipeline risk for the last
2 warn lines.

Validated in the pinned images: corepack activation in node:22-slim and
--require-hashes debugpy install in ubuntu:24.04 both succeed; ruby
digest resolves to the multi-arch manifest list.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@codecov

codecov Bot commented Jul 9, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@debugmcpdev debugmcpdev merged commit d233ab9 into main Jul 9, 2026
7 of 8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants